Leveraging DNSSEC to protect BGP


It’s not news to anyone involved in the deployment of DNSSEC, but some of the Internet protocols we use today were designed years ago, when the Internet itself was as much a research project as the research projects it helped facilitate at university and government or government-funded institutions. Many of the insecure protocols of those days have been replaced or augmented by more secure versions. Telnet and rlogin/rsh have given way to ssh. There’s now HTTPS in addition to HTTP, and many other protocols now support end-to-end security using SSL/TLS.

Even with all of these changes to transport and application-level security, infrastructure security has lagged behind. DNSSEC is one piece of the puzzle to secure the infrastructure. It ensures that the mappings that DNS provides — that are required by just about every other protocol and application on the Internet — are the ones intended by domain owners.

But even having validated mappings that result in, among other things, IP addresses is insufficient. Another piece of infrastructure — this one far more hidden from end users than DNS — is routing. Specifically, it’s the Border Gateway Protocol (BGP) that is used to identify how packets should flow between corporate and ISP networks across the Internet to get to their intended recipients.

Improving the security of BGP has been under study for as long as improving the security of DNS. Many of the same organizations that have funded or performed work on improving DNS security have done the same for BGP. The US Department of Homeland Security, which funds the DNSSEC Deployment Initiative, has also funded work on securing BGP.

As reported in The Register, those securing BGP are benefiting from the deployment of DNSSEC with the development of BGP Route Origin Verification (ROVER). According to the article,

Several early adopter telcos and ISPs are in the process of publishing route origins in their reverse DNS and signing with DNSSEC. In addition, Secure64 has established a Rover Testbed available at “rover.secure64.com” (registration required).

This adds BGP to the growing list of protocols and services that can benefit from leveraging DNSSEC deployment.
